On Tue, 18 Dec 2012 22:53:29 +0100 Polytropon wrote: > On Tue, 18 Dec 2012 21:32:50 +0000, RW wrote: > > On Tue, 18 Dec 2012 21:01:33 +0000 (UTC) > > Walter Hurry wrote: > > > > > $ sudo /usr/libexec/locate.updatedb > > > >>> WARNING > > > >>> Executing updatedb as root. This WILL reveal all filenames > > > >>> on your machine to all login users, which is a security risk. > > > $ > > > > > > Why is it a "security risk"? Security through obscurity? Really? > > > In this day and age? > > > > > > Or am I missing something? > > > > If permissions have been set to prevent other users reading > > filenames then obviously leaking file names is security issue. > > There are no "leaking file names",
There is from the perspective of an ordinary user that's configured directories under ~ to be confidential. > as by command, the tool does > what it is requested to: to not obey the restrictions that apply > in its _normal_ use and list _all_ file names instead. Obviously. But the warning is intended for people that haven't thought through the consequences of what they are doing. On Tue, 18 Dec 2012 22:49:43 +0100 Bas Smeelen wrote: > Yes. But as stated before it defaults to run as user nobody. > > Line 26 /etc/periodic/weekly/310.locate > echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 This is true but not very relevant. It runs as nobody from the periodic script, but the warning comes from locate.updatedb itself, which may be run independently of 310.locate. > If someone runs it as root it can be, as everything being run as > root, a security issue. Not really, mostly when things are run as root there is an additional risk. Very few things do the wrong thing simply as a consequence of running as root so it warrants a warning. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"